* feat(bp-velero): Hetzner Object Storage backend wiring (closes #384)
Velero on a Hetzner Sovereign now writes its backups DIRECTLY to Hetzner
Object Storage per ADR-0001 §13 (S3-aware app architecture rule) +
docs/omantel-handover-wbs.md §3 — NOT SeaweedFS, which is reserved as a
POSIX→S3 buffer for legacy POSIX-only writers and is not in the minimal
Sovereign set.
Mirrors the Hetzner-direct backend pattern Agent #383 is wiring for
Harbor; both consume the canonical flux-system/hetzner-object-storage
Secret shipped by issue #371 (cloud-init writes 5 keys: s3-endpoint /
s3-region / s3-bucket / s3-access-key / s3-secret-key, derived from
the operator-issued Hetzner-Console keys + the per-Sovereign bucket
provisioned by OpenTofu's aminueza/minio resource).
platform/velero/chart/ (umbrella chart, bumped to 1.1.0):
- templates/_helpers.tpl: NEW — bp-velero.fullname / bp-velero.labels
helpers + bp-velero.hetznerCredentialsSecretName (default
`velero-hetzner-credentials`).
- templates/hetzner-credentials-secret.yaml: NEW — synthesises a
velero-namespace Secret with a single `cloud` key in AWS-CLI INI
format from .Values.veleroOverlay.hetzner.s3.{accessKey,secretKey}.
The upstream Velero deployment mounts this at /credentials/cloud
via existingSecret + AWS_SHARED_CREDENTIALS_FILE. Skip-render path
when veleroOverlay.hetzner.enabled is false (default — keeps
contabo render clean) or useExistingSecret is true (operator
supplied Secret out-of-band).
- values.yaml: BSL provider/region/s3Url/bucket fields populated as
placeholders the per-Sovereign HelmRelease overrides via Flux
valuesFrom; backupsEnabled defaults FALSE so default render emits
no half-broken BSL; veleroOverlay.hetzner block surfaces the
operator-overridable fields. Long-form rationale comments inline
on each value per the chart's existing docstring style.
clusters/_template/bootstrap-kit/34-velero.yaml (+ omantel + otech):
- dependsOn: bp-seaweedfs REMOVED — Velero is no longer a SeaweedFS
consumer on Sovereigns (was the old SeaweedFS-tiered architecture
that minimal-omantel retired in favour of cloud-native S3).
- chart version bumped 1.0.0 → 1.1.0.
- valuesFrom block added: 5 Secret-key entries pull each canonical
s3-* key into the matching umbrella value path. Plaintext
credentials never appear in the committed manifest; Flux
dereferences valuesFrom at HelmRelease apply time.
- values block adds the baseline veleroOverlay.hetzner.enabled=true
+ velero.credentials.{useSecret:true,existingSecret:velero-hetzner-credentials}
+ BSL provider/credential/s3ForcePathStyle scaffolding
that the valuesFrom entries fill in.
docs/omantel-handover-wbs.md:
- §2 row 19: "❌ chart needs S3 endpoint rework" → "🟢 chart-released
v1.1.0 — Hetzner Object Storage backend wired to #371 secret".
- §9 #384 row: detailed status with smoke evidence.
Smoke evidence (contabo, default values — no Hetzner credentials):
- helm template t . → renders cleanly (no Hetzner Secret, no BSL).
- helm template t . --set veleroOverlay.hetzner.enabled=true \
--set ...accessKey=AK_TEST --set ...secretKey=SK_TEST \
--set velero.backupsEnabled=true (+ BSL config) →
Secret/velero-hetzner-credentials with `cloud` INI key emitted +
BackupStorageLocation/default with provider=aws,
bucket=omantel-velero, region=fsn1,
s3Url=https://fsn1.your-objectstorage.com.
- helm install velero-smoke . -n velero-smoke (defaults) → pod
velero-69bb84c5-669sh Ready 1/1 in 48s. Smoke torn down clean.
Hetzner-S3 E2E deferred to Phase 8 (first omantel run) — contabo has
no Hetzner Object Storage credentials so end-to-end backup→restore
verification can't run here.
Anti-duplication rule: NO bash scripts authored, NO parallel
implementations of upstream Velero functionality. Upstream Velero +
velero-plugin-for-aws natively support any S3-compatible backend; the
work here is values + a credential-shape adapter Secret, not a fork.
Closes #384.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
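The credential-shape adapter Secret and the Flux valuesFrom wiring described in the commit above, written out as an added illustrative example (this is not the project's chart template or bootstrap-kit manifest, which the commit describes but the page does not show). Assumptions made here and not taken from the commit: the umbrella chart is loaded from a GitRepository named `flux-system` at `./platform/velero/chart`; the HelmRelease lives in `flux-system` with `targetNamespace: velero` (Flux can only dereference `valuesFrom` Secrets in the HelmRelease's own namespace, so that is where the #371 Secret must be); the BSL value paths sit under `velero.configuration.backupStorageLocation[0]`; and the template fails the render when `hetzner.enabled` is true but no keys were supplied, instead of shipping an empty `[default]` profile.

```yaml
# --- platform/velero/chart/templates/hetzner-credentials-secret.yaml (illustrative) ---
# Skip-render when the Hetzner backend is off (default, keeps the contabo render
# clean) or the operator supplies the Secret out-of-band.
{{- if and .Values.veleroOverlay.hetzner.enabled (not .Values.veleroOverlay.hetzner.useExistingSecret) }}
{{- $s3 := .Values.veleroOverlay.hetzner.s3 }}
{{- /* Added guard (assumption): fail closed rather than emit an empty INI profile. */ -}}
{{- if or (empty $s3.accessKey) (empty $s3.secretKey) }}
{{- fail "veleroOverlay.hetzner.s3.accessKey and .secretKey are required when veleroOverlay.hetzner.enabled=true" }}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "bp-velero.hetznerCredentialsSecretName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "bp-velero.labels" . | nindent 4 }}
type: Opaque
stringData:
  # Upstream chart mounts existingSecret at /credentials and points
  # AWS_SHARED_CREDENTIALS_FILE=/credentials/cloud at this key.
  cloud: |
    [default]
    aws_access_key_id={{ $s3.accessKey }}
    aws_secret_access_key={{ $s3.secretKey }}
{{- end }}
---
# --- clusters/<sovereign>/bootstrap-kit/34-velero.yaml (illustrative excerpt) ---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: bp-velero
  namespace: flux-system          # assumption: same namespace as the #371 Secret
spec:
  interval: 10m
  targetNamespace: velero
  chart:
    spec:
      chart: ./platform/velero/chart   # assumption: path inside the GitRepository
      version: 1.1.0
      sourceRef:
        kind: GitRepository
        name: flux-system
  # Each canonical s3-* key lands in the matching umbrella value path at apply
  # time; no plaintext credential is committed. Index syntax in targetPath is
  # Helm --set path syntax, which helm-controller uses for the merge.
  valuesFrom:
    - kind: Secret
      name: hetzner-object-storage
      valuesKey: s3-access-key
      targetPath: veleroOverlay.hetzner.s3.accessKey
    - kind: Secret
      name: hetzner-object-storage
      valuesKey: s3-secret-key
      targetPath: veleroOverlay.hetzner.s3.secretKey
    - kind: Secret
      name: hetzner-object-storage
      valuesKey: s3-bucket
      targetPath: velero.configuration.backupStorageLocation[0].bucket
    - kind: Secret
      name: hetzner-object-storage
      valuesKey: s3-region
      targetPath: velero.configuration.backupStorageLocation[0].config.region
    - kind: Secret
      name: hetzner-object-storage
      valuesKey: s3-endpoint
      targetPath: velero.configuration.backupStorageLocation[0].config.s3Url
  values:
    veleroOverlay:
      hetzner:
        enabled: true
    velero:
      backupsEnabled: true
      credentials:
        useSecret: true
        existingSecret: velero-hetzner-credentials
      configuration:
        backupStorageLocation:
          - name: default
            provider: aws
            credential:
              name: velero-hetzner-credentials
              key: cloud
            config:
              s3ForcePathStyle: "true"   # path-style addressing for non-AWS S3
              checksumAlgorithm: ""      # see usage note
```

Two things worth checking before the Phase 8 Hetzner-S3 E2E run: first, because the Secret is rendered from `.Values` in the same release, any `helm get values` or HelmRelease status that echoes resolved values will contain the keys, so keep RBAC on the `velero` and `flux-system` namespaces tight. Second, recent velero-plugin-for-aws releases send S3 checksum headers by default, which some non-AWS S3 endpoints reject; `checksumAlgorithm: ""` in the BSL config is the documented opt-out, and whether Hetzner Object Storage needs it should be confirmed against the plugin version actually pinned by the umbrella chart rather than assumed from this example.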
* fix(scripts): drop bp-seaweedfs dep from bp-velero expected DAG (#384)
Mirrors the dependsOn removal in clusters/_template/bootstrap-kit/34-velero.yaml
from the parent commit. Velero on Hetzner Sovereigns now
writes directly to Hetzner Object Storage (ADR-0001 §13 + WBS §3); no
in-cluster prerequisite Blueprint is required.
Local `bash scripts/check-bootstrap-deps.sh` now passes (0 drift,
0 cycles). The CI failure on the parent commit's PR was the audit
flagging bp-velero as having a missing edge to bp-seaweedfs because
this expected-DAG file still listed it.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: hatiyildiz <269457768+hatiyildiz@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>